subject: results of the agreed-upon procedures for the it ... · from whd, sccm and the discovery...


OFFICE OF CITY AUDITOR (757) 385-5870 FAX: (757) 385-5875 TTY: 711

MUNICIPAL CENTER BUILDING 1, ROOM 344

2401 COURTHOUSE DRIVE VIRGINIA BEACH, VA 23456-9012

April 7, 2017

Darrell G. Riddick, Acting Chief Information Officer Information Technology Municipal Center, Building 2 Virginia Beach, VA 23456

Subject: Results of the Agreed-Upon Procedures for the IT Asset Management Program

Dear Mr. Riddick,

We have performed the procedures listed below, which were agreed to by the management of the Department of Information Technology (IT) with respect to the City’s IT Asset Management Program (ITAM) solely to assist the parties with the planned reorganization of the City’s IT Asset Management Program. The Department of Information Technology is responsible for managing the program, maintaining the City’s IT asset inventory and implementing the proposed changes related to the reorganization of the program.

This agreed-upon procedures engagement was conducted in accordance with Government Auditing Standards (GAS). GAS incorporates financial and attestation standards established by the American Institute of Certified Public Accountants. These standards also provide guidance for performing and reporting the results of agreed-upon procedures. The sufficiency of these procedures is solely the responsibility of those parties specified in this report. Consequently, we make no representation regarding the sufficiency of the procedures described herein either for the purpose for which this report has been requested or for any other purpose.

The Office of the City Auditor reports to City Council through the Audit Committee and is organizationally independent of all City Departments. This report will be distributed to the City’s Audit Committee, City Council, City Manager, and appropriate management within the City. This report will also be made available to the public.

The procedures and associated findings are as follows:


Darrell Riddick, Acting Chief Information Officer Results of the Agreed-Upon Procedures for the City’s IT Asset Management Program April 7, 2017 Page 2

(1) Proposed plan, policies, procedures and processes related to the reorganization of the City’s IT Asset Management Program

The Department of Information Technology (IT) provides and supports communications, information, and technology solutions to enable city businesses, inform the community, improve and promote quality of life and public safety. Responsibility for the City’s IT asset management program now falls under the Information Services Administrator. The program was previously administered within System Support under the Chief Technology Officer. The recent restructuring combines part of client services with asset management to encompass the full asset management lifecycle under one program. See Exhibit 1 below.

Exhibit 1. Proposed ITAM Organizational Chart

Source: City of Virginia Beach Department of Information Technology


Due to recent staff departures and hiring delays, the program currently has only two (2) employees. ITAM is responsible for customer engagement, asset management, hardware selection and configuration, software configuration and deployment and procurement.

Management should:

1.1 Ensure all new processes and procedures, once implemented, are documented, in writing, available and communicated to ITAM staff.

1.2 Provide opportunities for cross training amongst ITAM staff.

1.3 Pursue IT asset management training and corresponding certifications for all program staff.

1.4 Establish policies regarding the types of assets to be, or not to be, maintained by ITAM (i.e., supported assets vs mobile phones, iPads, etc) as well as the types of assets that should be accounted for at the department/program level. The policies should also address and/or establish responsibility for the procurement, accounting and safeguarding of all IT assets.

(2) Configuration and workflow set up for the new asset/service management tool

In addition to restructuring the program, IT has purchased and is currently configuring a new asset/service management tool called ServiceNow. ServiceNow uses an asset first, person second approach to document the full asset management lifecycle (planning, procurement, deployment, managing, replacement, and retirement) and the associated workflows. Current processes have been documented. Workflows are being defined. Implementation is anticipated in July 2017.

ServiceNow includes an automated discovery component which will detect and record assets installed (in use) on the City’s networks. This, in conjunction with the City’s information security controls, will ensure that only authorized devices connect to the network and that we have accurate information about what devices are connected and their location on the network. As a result the quality of the information within the asset management tool will be greatly enhanced.

Exhibit 2. Asset Management Lifecycle

We met with the IT Service Management Team to review the implementation plan, asset configuration and progress thus far. ServiceNow is workflow driven. Development of standard asset management workflows (i.e., procurement, installation, moves, removal, replacement, and disposal) and incorporating asset management requirements within other workflows that both directly and indirectly impact the asset management lifecycle (i.e., granting and removal of employee access rights, troubleshooting, repairs and maintenance) will not only ensure consistency of services but result in complete, accurate and current information.

Management should:

2.1 Incorporate asset management requirements in the development of all workflows that impact the IT asset management lifecycle.

2.2 Identify and configure asset data fields that require input and/or updating depending on the process and require input and/or updating of those fields.

2.3 Identify and configure triggers for input or changes to fields that impact additional fields (i.e., Asset State and Substate).

2.4 Allow online/real time updating of asset data as workflows progress.

2.5 Design and develop reports/alerts to identify changes in asset state and/or location.

2.6 Ensure features that allow tracking (i.e. auditing) of all changes to asset information are activated.

2.7 Ensure that quality assurance steps are included in the workflows.

(3) IT Asset Inventory maintained in Solar Winds Web Help Desk (WHD)

A key component of asset management is the initial and ongoing inventory. Information should be accurate, complete and current. As of January 23, 2017, there were 32,810 IT hardware assets listed in WHD. Exhibit 3 provides a summary of IT Assets based on Status and Type.


Exhibit 3. IT Hardware Assets by Status and Type

| Asset Type | Disposed | In Service | Received | Removed | Repair - Vendor | Reserved | Surplus | Unverified | Vendor Received | Grand Total |
|---|---|---|---|---|---|---|---|---|---|---|
| Computer | 6,877 | 6,533 | 455 | 440 | 5 | 2 | 54 | 87 | 3 | 14,456 |
| Display | 2,471 | 7,555 | 99 | 141 | | 1 | 20 | 208 | 1 | 10,496 |
| Network | 38 | 1,358 | 78 | 2 | | | | | | 1,476 |
| Peripherals | 1,052 | 4,538 | 256 | 96 | | | 20 | 140 | | 6,102 |
| Storage | 24 | 244 | | 3 | | | | 7 | | 278 |
| Z-Other | | 2 | | | | | | | | 2 |
| Grand Total | 10,462 | 20,230 | 888 | 682 | 5 | 3 | 94 | 442 | 4 | 32,810 |

Source: WHD Data Extract

The City’s IT asset inventory is currently recorded and maintained within the WHD application. The current process for recording and tracking IT assets relies heavily on individual reporting and centralized manual batch processing. Uploads to WHD are not reconciled to source documentation on a regular basis, primarily due to reduced staffing; nor is there a consistent process in place to ensure all Asset Status changes are uploaded. We reviewed the WHD asset inventory data and found a number of inconsistencies and/or omissions in key fields such as Asset Number, Serial Number, and Location. Exhibit 4 provides a summary of the inconsistencies by type.

Exhibit 4. Summary of Data Exceptions by Exception Type

| Exception Type | Number of Exceptions | Population | Percent of Population |
|---|---|---|---|
| Duplicate Asset Numbers | 10 | 32,810 | 0.03% |
| Number of assets where Asset Number = Unverified | 134 | 32,810 | 0.41% |
| Duplicate Serial Numbers | 61 | 32,810 | 0.19% |
| Serial Number is Blank | 1,400 | 32,810 | 4.27% |
| Asset Status=Received and Date_Purchase >120 days or Blank | 725 | 810 | 89.51% |
| Asset Status=Removed and Date_Removed >120 days or Blank | 646 | 680 | 95.00% |
| Asset Status=Unverified | 442 | 32,810 | 1.35% |
| Department is Blank | 720 | 32,810 | 2.19% |
| Location is Blank and Department is Blank | 517 | 32,810 | 1.58% |

Source: WHD Data Extract

We compared assets in WHD assigned to the City Auditor’s Office to actual IT assets on hand. We located 24 of the 25 IT hardware assets identified in WHD; two (2) of the assets had a Status of “Received” rather than “In Service”.

We also reconciled the Surplus Inventory Listing maintained by ITAM to the 94 assets with a Status of “Surplus” in WHD. We identified eight (8) assets identified as “Surplus” in WHD that were not on the Surplus Inventory Listing.


Management should:

3.1 Ensure a process exists to adequately monitor, review, and verify changes to asset data.

3.2 Plan and allow for adequate time for a full reconciliation of IT asset data prior to conversion to ServiceNow. The reconciliation should include data from WHD, SCCM and the discovery tool within ServiceNow. Discrepancies should be investigated and resolved.

3.3 Provide a dedicated, temporary position to assist with data entry and verification for the time leading up to and during transition to ServiceNow.

3.4 Perform full physical inventory and reconciliation of IT asset data periodically (i.e., every 2-3 years) to ensure data accuracy and reliability.

3.5 Perform rotating in-house site surveys in between full inventory.

3.6 Develop a process for departments to verify IT assets on hand annually.

(4) Assessment of the adequacy of the design of the proposed policies and processes to ensure appropriate recording, reporting and safeguarding of the City’s physical IT Assets and to reduce the risk of loss to an acceptable level

Based on our review of the proposed plan, the restructuring of the ITAM program, and the pending implementation of ServiceNow, we believe the proposed policies, processes and procedures, if implemented as presented and supplemented with the recommendations herein, will be adequate to ensure appropriate recording, reporting and safeguarding of the City’s physical IT Assets and to reduce the risk of loss to an acceptable level. ServiceNow includes an automated discovery component which will detect and record assets installed (in use) on the City’s networks as well as identify assets no longer in use. Its robust reporting and dashboard features will alert ITAM staff to changes. The implementation of ServiceNow will greatly enhance the quality of the information within the asset management tool.

(5) Proposed Request for Proposal (RFP) for information technology hardware, software, maintenance and services

The City procures information technology hardware, software, maintenance and services through a single Contractor. This Contractor has an integral role in the asset management lifecycle. The current agreement expires on March 31, 2017. We reviewed the proposed RFP prior to issuance and offered comments and suggestions to enhance clarity, consistency and content. The RFP was issued on February 3, 2017. Proposals were due March 10, 2017. The proposals will be evaluated by a committee consisting of representatives of IT, Management Services and user departments. An award is expected in May 2017.


(6) Follow up activities for recommendations made by the Office of the City Auditor in the Memorandum of March 1, 2016 resulting from our investigation (16-021) into the theft of City IT assets by an employee of the IT asset management program

We reviewed the department’s progress toward implementation of the recommendations from our Memorandum to management, dated March 1, 2016, resulting from an investigation into the theft of IT assets by an employee of the IT asset management program. These recommendations addressed disciplinary actions; restructuring the IT Asset Management Program; enhanced data accumulation; Integrity Connection and Fraud Waste and Abuse training for all employees; enhancements to physical security and the general safeguarding and disposal of surplus IT equipment; departmental adherence to City policies and hiring practices. These recommendations were issued as preventive and detective measures to assist in minimizing the risk of loss to the City.

IT has made significant progress in addressing these recommendations starting with the restructuring of the IT Asset Management Program and the pending implementation of the new asset/service management tool, ServiceNow. The City’s Administrative Directive related to Fraud, Waste and Abuse Prevention and Reporting is spotlighted on the homepage of the department’s VBnet site and a presentation by the City Auditor about the City’s Fraud, Waste and Abuse Prevention and Reporting Program is scheduled for the next full departmental staff meeting scheduled for July 18, 2017.

Enhancements made to strengthen physical security include significantly reduced access to storage areas and installation of additional security cameras that now monitor all access points. IT Management is working with Facilities Management to find a better location for ITAM. In the meantime, disposal is scheduled biweekly or as often as needed to ensure items awaiting disposal in the hallway are there for as short a time as possible. The current configuration of Building 17, unfortunately, does not have adequate space to provide secure storage of all equipment ready for disposal. It is the policy of the department to abide by all City policies. Policies are accessible on the department’s VBnet site and emphasized at departmental staff meetings.

Exhibit 5. Building 17 Assets awaiting Disposal
